Multiple Risky AD FS Sign In
Query
let query_frequency = 5m;
let query_period = 2d;
let _ADFSTokenIssuerNames = toscalar(
_GetWatchlist("Activity-ExpectedSignificantActivity")
| where Activity == "ADFSTokenIssuerName"
| summarize make_list(Auxiliar)
);
// let _ADFSResourceIdentities = toscalar(
// _GetWatchlist("Activity-ExpectedSignificantActivity")
// | where Activity == "ADFSTokenIssuerName"
// | summarize make_list(DestinationAddress)
// );
union (
AADUserRiskEvents
| where TimeGenerated > ago(query_period)
| where TokenIssuerType == "ADFederationServices"
| summarize FirstTimeGenerated = min(TimeGenerated), arg_max(TimeGenerated, *) by Id
| where FirstTimeGenerated > ago(query_frequency)
| extend AltAlertLink = strcat("https://entra.microsoft.com/#blade/Microsoft_AAD_IAM/RiskDetectionsBlade/riskState~/[]/userId/", UserId, "/riskLevel/[]/daysBack/90")// Someone wrote "90s" incorrectly in Defender XDR portal
| where case(
//RiskState == "dismissed" and RiskDetail == "aiConfirmedSigninSafe", false,
RiskState == "remediated" and RiskDetail == "userChangedPasswordOnPremises", false,
true
)
| project
//TimeGenerated,
ActivityDateTime,
DetectedDateTime,
Source,
Activity,
DetectionTimingType,
UserDisplayName,
UserPrincipalName,
UserId,
IpAddress,
RequestId,
CorrelationId,
TokenIssuerType,
RiskEventType,
RiskDetail,
RiskLevel,
RiskState,
AdditionalInfo,
Id,
AltAlertLink
),(
SigninLogs
| where TimeGenerated > ago(query_frequency)
| where TokenIssuerName has_any (_ADFSTokenIssuerNames) and RiskState == "atRisk" and not(RiskLevelAggregated == "none")
// and ResourceIdentity has_any (_ADFSResourceIdentities) and AppId == "NotApplicable" and ResourceDisplayName == "SSO"
// and TokenIssuerType == ???
| project
TimeGenerated,
CreatedDateTime,
Type,
UserDisplayName,
UserPrincipalName,
UserId,
AlternateSignInName,
SignInIdentifier,
UserType,
IPAddress,
AutonomousSystemNumber,
Location,
NetworkLocationDetails,
ResultType,
ResultSignature,
ResultDescription,
ClientAppUsed,
AppDisplayName,
ResourceDisplayName,
DeviceDetail,
UserAgent,
Status,
MfaDetail,
AuthenticationContextClassReferences,
AuthenticationDetails,
AuthenticationProcessingDetails,
AuthenticationProtocol,
AuthenticationRequirement,
AuthenticationRequirementPolicies,
SessionLifetimePolicies,
TokenIssuerType,
IncomingTokenType,
TokenProtectionStatusDetails,
ConditionalAccessStatus,
ConditionalAccessPolicies,
RiskDetail,
RiskEventTypes_V2,
RiskLevelAggregated,
RiskLevelDuringSignIn,
RiskState,
HomeTenantId,
ResourceTenantId,
CrossTenantAccessType,
AppId,
ResourceIdentity,
UniqueTokenIdentifier,
SessionId,
OriginalRequestId,
CorrelationId
)Explanation
This KQL (Kusto Query Language) script is designed to analyze and filter security-related events from two data sources: AADUserRiskEvents and SigninLogs. Here's a simplified explanation of what the query does:
-
Define Parameters:
query_frequency: Set to 5 minutes. This is used to filter events that have occurred within the last 5 minutes.query_period: Set to 2 days. This is used to filter events that have occurred within the last 2 days.
-
Retrieve ADFS Token Issuer Names:
- The query retrieves a list of expected ADFS (Active Directory Federation Services) token issuer names from a watchlist named "Activity-ExpectedSignificantActivity".
-
Analyze AAD User Risk Events:
- Filters
AADUserRiskEventsto include only those events generated within the last 2 days. - Further filters to include only events where the token issuer type is "ADFederationServices".
- Summarizes the events to get the first occurrence time and the most recent occurrence for each event ID.
- Filters out events that were remediated by a user changing their password on-premises.
- Projects (selects) specific fields for further analysis.
- Filters
-
Analyze Sign-in Logs:
- Filters
SigninLogsto include only those events generated within the last 5 minutes. - Further filters to include only events where the token issuer name matches any of the retrieved ADFS token issuer names, and the risk state is "atRisk" with a non-zero risk level.
- Projects (selects) a comprehensive set of fields for further analysis.
- Filters
-
Union of Results:
- Combines the filtered results from both
AADUserRiskEventsandSigninLogsinto a single dataset for further analysis or reporting.
- Combines the filtered results from both
Overall, this query is designed to identify and analyze potentially risky sign-in activities and user risk events related to ADFS, focusing on recent and significant activities.
Details

Jose Sebastián Canós
Released: September 17, 2025
Tables
AADUserRiskEventsSigninLogs
Keywords
ADFSTokenIssuerNameAADUserRiskEventsSigninLogsUserUserIdTokenIssuerTypeRiskStateRiskDetailRiskLevelRiskEventTypeRiskLevelAggregatedDeviceDetailAppIdResourceIdentity
Operators
lettoscalar_GetWatchlistwheresummarizemake_listunionagominarg_maxextendstrcatcaseprojecthas_anynot